1 Outsourcing Contract and Service Level Issues. Sharon O'Bryan, Week 5, November 2, 2004
2 Outsourcing Basic Terminology
- Service Provider
  - IT Operations Services
  - Business Services (e.g. Call Centers)
  - Program Coding
- Receiver or "Receiving Company"
- Performance: Both Parties
- Monitoring Performance Against Contract and SLA Specified Benchmarks

3 The Basic Issues
- Assumptions
  - Scope of services
  - Who is responsible for what
  - Who is accountable
  - "They must be secure"
  - Privacy assurance and liability
  - Recovery capability
  - How much "extra" will cost
- Serious misconceptions about the "SAS/70"
- Downstream Service Providers overlooked

4 Outsourcing
- Proper Risk Assessment
- Contract
- Service Level Agreement
- Performance Reporting
  - Monitoring Performance Against Contract and SLA Terms
- Remedy

5 Contract Specifics

6 General Considerations
- Change in Financial Soundness
- Change in Business Strategy
- Notification of Downstream Outsourcing
- Benchmarking
- Separation of Duties
- Records Retention
- Penalties
  - Exit Clause
- Governance and Management

7 Managing Risks to Confidentiality
- Information Ownership
  - Access to Data
- Intellectual Property
  - Access to Programs
- Logs and Log Retention
- Data Disposal (all media)
- Encryption
- Test Data

8 Access Provisioning Administration
- Access Requests
- Password Resets
- Logical Partitions
- Authorization Verification
- Roles of Provider and Receiver
- Password Formats
- Logs and Log Retention
- Access Reports to Owners

9 Vulnerability Management
- Intrusion Prevention Requirements
- Intrusion Detection and Monitoring
- Malicious or Suspicious Activity Notification
- Filing of Regulatory Reports for Suspicious Activity
- Penetration Simulations

10 Audits
- Independent Auditor Report
- Right to Audit
- Right to Audit Downstream Outsourcing
Note: Technology and business continuity is no longer verified in a SAS/70.

11 "Disaster Recovery"
- Provider's Business Recovery
- Technology Recovery Capability
- Point of Restoration
  - Data
  - Programs
- Testing (full testing)
- Downstream Provider Capability